Patchstack mVDP / Security Suite Policy & Rules

General rules

  1. Patchstack is the provider of both the Patchstack mVDP and Patchstack Security Suite programs. These rules govern the operation, participation, and procedures applicable to both programs and any related processes.
  2. Patchstack reserves the right to modify, update, or replace these rules at any time, with or without prior notice.
  3. Support is available through two official channels. You can create a support ticket by emailing triage@patchstack.com, or in urgent cases, contact mvdp@patchstack.com directly.
  4. For assistance related to identified vulnerabilities or vulnerability data listed in the vulnerability database and CVEs, please contact us at triage@patchstack.com.
  5. By submitting information and requesting an account, you agree to be bound by all applicable rules of the Patchstack mVDP and Patchstack Security Suite programs.
  6. The programs are designed for developers, owners, vendors, and distributors of software that falls within the scope defined by Patchstack, including but not limited to the WordPress ecosystem.
  7. Activation of accounts and participation in the program for each product are subject to specific actions (activation) and the submission of required data by the Vendor.
  8. Patchstack assumes no legal responsibility for any damage or loss arising from the use of the Patchstack mVDP and Patchstack Security Suite programs, as all information and actions associated with these services inherently involve cybersecurity risks.
  9. The Vendor is solely responsible for maintaining the confidentiality and security of account credentials and for controlling access to any information available through their program accounts.
  10. The Vendor is obligated not to share, disclose, or distribute any data accessed through any program dashboard with third parties without Patchstack's prior written consent.
  11. Any information made available to the Vendor through the program may not be stored, shared outside of the program, or reused for other products or services without Patchstack's prior written consent.
  12. The Vendor undertakes to share all information related to vulnerabilities discovered in its software products, whether identified independently or by third parties, and to make all reasonably available information accessible to Patchstack.
  13. Patchstack offers multiple submission options for Vendors to share information about vulnerabilities, including a reporting form, embedded reporting form, or email. Vendors are required to forward all vulnerabilities discovered internally or reported by third parties to Patchstack. This ensures proper coordination and helps prevent data duplication or collision.
  14. The Vendor shall maintain the confidentiality of all communication and data exchanged between the Vendor and Patchstack. Vendor shall not share it with any third parties or publish it on public resources without Patchstack's prior written consent.
  15. The Vendor agrees to adhere to all rules ensuring data confidentiality, including after account cancellation, deletion or software transfer to any third party.
  16. The Vendor acknowledges that all information collected and stored by Patchstack through the program is the sole property of Patchstack. The Vendor waives any legal rights or claims to such information, including in the event of account cancellation or deletion.
  17. Vendors are required to provide accurate, functional, and reliable contact information, specifically valid email addresses that will be used for all communications related to the programs and vulnerability handling.
  18. By participating, Vendors agree to maintain a response time of no more than 48 hours to any messages sent by Patchstack.
  19. Vendors agree to prioritize recognized cybersecurity industry standards over their internal policies and timelines. This ensures that vulnerability management processes conducted by Patchstack can proceed without obstruction and in accordance with industry best practices and expectations.
  20. Patchstack reserves the right to assign CVE identifiers and publicly disclose any vulnerability with a CVSS base score of 2.4 or higher (CVSS v3.1).
  21. The Vendor may request that Patchstack assign a CVE ID and execute the vulnerability processing and disclosure cycle for vulnerabilities discovered internally or independently reported directly to the Vendor by third parties.
  22. Patchstack may also refuse to assign CVE IDs to vulnerabilities with a CVSS score of 2.3 or lower (CVSS v3.1).
  23. By submitting a premium component to the mVDP program, the Vendor agrees to provide the associated software (latest version) to Patchstack upon request at any time for the purposes of report or patch validation. At the time of submission, Vendors are also expected to provide the latest version of the software component so that Patchstack has a current and accurate software sample.
  24. Vendors acknowledge and accept that the Patchstack Research Team, along with security researchers participating in the Patchstack Bug Bounty program, may actively analyze submitted components for vulnerabilities. Any identified vulnerabilities will be processed according to Patchstack’s established procedures.
  25. By participating, Vendors agree to comply with the Patchstack Vulnerability Disclosure Policy, as well as any other applicable policies and rules governing vulnerability processing.
  26. Vendors agree to maintain professional and respectful communication at all times and must refrain from making any negative public or private statements against security researchers or vulnerability discoverers. Any form of inappropriate communication may result in the immediate termination of the Vendor's participation in Patchstack programs and may carry additional consequences related to the handling and disclosure of vulnerabilities.
  27. Patchstack reserves the right to publicly disclose additional details about certain vulnerabilities to support the education of the cybersecurity community, to help other organizations access critical information more quickly in the event of active exploitation (0days), and in any other appropriate circumstances not explicitly mentioned. These disclosures are made at Patchstack’s discretion and in accordance with responsible disclosure practices.
  28. Vendors have the right to request specific coordination regarding vulnerability disclosure. However, such requests must align with the Patchstack Vulnerability Disclosure Policy and established cybersecurity industry standards. Patchstack and the Vendor may mutually agree on a tailored disclosure process if there is a valid reason to deviate from the standard approach. These exceptions are considered on a case-by-case basis and do not apply to all disclosures by default.
  29. Failure to respond to vulnerability management communications within 72 hours may result in Patchstack proceeding with public disclosure of the vulnerability, if it is determined that disclosure is the safer and more responsible course of action in the given situation.
  30. If a Vendor accidentally gains access to sensitive information unrelated to their own software components, they are required to report the incident as soon as possible by contacting mvdp@patchstack.com or triage@patchstack.com.
  31. Patchstack also encourages Vendors to actively contribute to the improvement of both programs by submitting suggestions, bug reports, or feedback related to user interface, functionality, or payment issues to mvdp@patchstack.com for further review and resolution.
  32. The order of tasks is determined and managed exclusively by Patchstack. Tasks are handled based on overall efficiency rather than individual preference or request. Exceptions to this order are made only in critical cases that require immediate attention from the Patchstack team, such as active exploitation of known vulnerabilities or other urgent security threats.
  33. Any attempt to misuse the programs for malicious purposes, including impersonating legitimate Vendors, attempting to extract sensitive information, or carrying out any form of cyberattack will be treated as a serious violation. Such actions may result in immediate account termination and can lead to legal prosecution of all involved parties.

mVDP program-specific rules

  1. mVDP (Managed Vulnerability Disclosure Program) is a free service offered and provided by Patchstack without any guarantees, warranties, or legal obligations, including any liability for damages or losses arising from its use.
  2. The primary goal of the program is to make industry-standard vulnerability management accessible to the entire open-source community. Additionally, participation may attract attention from independent security researchers in the Patchstack Bug Bounty Program, who are incentivized to review the software for potential vulnerabilities. This is encouraged through a Bug Bounty Program AXP points boost applied to software components with an active mVDP, although such reviews are not guaranteed.
  3. The mVDP program is open to all eligible software developers, vendors, owners, and distributors within the WordPress ecosystem who own and control in-scope software components. To participate, applicants must demonstrate ownership or rights to the specific software and show a clear intent to join the program. This includes providing the required information and adding the necessary VDP disclaimer to the software component files and relevant webpages, ensuring that vulnerability reporters can easily locate the program details.
  4. By activating the mVDP program for each software component, the Vendor agrees to all related rules and requirements and declares that Patchstack is the official provider of the Vulnerability Disclosure Program (VDP) for the specified software component.
  5. No payments are required from program users, as the program is completely free to ensure accessibility for all open-source developers, regardless of their product’s popularity or level of monetization. This applies equally to both free and premium software products.
  6. A Patchstack mVDP account gives you full visibility and control over the vulnerability management process for your software components enrolled in the program. Through your account, you can monitor reported vulnerabilities, track their statuses, view comments from the triage team, submit patches, and check patch validation progress. You will also have access to a complete history of all disclosed vulnerabilities for each specific software component.

Security Suite program-specific rules

  1. This is a premium suite of services provided by Patchstack, available through a monthly subscription payment model.
  2. The monthly fee for the Security Suite is $75. However, this price may be subject to change at any time without prior notice due to increased infrastructure costs and other relevant factors.
  3. Patchstack reserves the right to change, add to, limit, or remove services included in the suite at any time without prior notice.
  4. The Suite includes experimental features for which no warranty is provided regarding the accuracy or reliability of the results. The Suite is offered on an "as is" basis, without any warranties or guarantees.
  5. Each month, Security Suite users receive three (3x) AI code review scanner credits, which may be used to scan software for potential vulnerabilities.
  6. The AI code review scanner accepts software archives (only ZIP files) containing up to a maximum of 100 PHP files. There is no dialog or interaction with the AI scanner, as it operates in a predefined and pre-trained manner.
  7. Certain individual scans or multiple scans of various software components may require additional credits, which can be purchased directly through the Security Suite dashboard.
  8. The AI code review scanner is an experimental feature under active development, and its scanning results may vary over time as the underlying engine evolves and is continuously improved.
  9. As previously stated, the AI code review scanner is an experimental feature, and the accuracy of its results cannot be guaranteed at this stage of development, as outcomes depend on numerous factors, including input parameters, data quality, and software logic.
  10. Scanner results are not generated instantly and may require additional time, particularly during periods of high demand caused by multiple scans in the queue or scans that require greater computational resources.
  11. The Security Suite includes a team management feature that allows access for up to five users under a single account.
  12. Only the primary user has the authority to invite additional team members, manage payments, and purchase credits.
  13. If the subscription is cancelled and the Security Suite reverts to the free mVDP program, only the primary user will retain access, and team functionality will be disabled.
  14. AI scanner credits are available in bundles of 3, 5, and 10 credits, priced at $45, $70, and $120, respectively.
  15. Credit prices may be changed at any time without prior notice due to fluctuations in infrastructure costs and processing expenses.
  16. Patchstack assumes no legal or financial liability if third parties use the AI scanner for purposes that are illegal or otherwise prohibited. Any damage caused by the scanner's results and responsibility for its use lies with the user.
  17. The scanner results may not be publicly shared or distributed to third parties, as they may contain sensitive information.
  18. Users agree that all vulnerabilities discovered by the scanner in submitted software will be handled through the usual process. The discovery will be credited to the Patchstack AI code review scanner. Each discovered vulnerability will be disclosed in accordance with industry standards and applicable laws or requirements.
  19. Patchstack reserves the right not to disclose the methods used by the scanner to find vulnerabilities, the technical solutions applied, or the data used for training and fine-tuning the scanner.
  20. Patchstack reserves the right to read, store, analyze, and use or reuse the AI code review scanner results at its discretion.
  21. The AI code review scanner is accessible only via the Security Suite dashboard.
  22. The Patchstack Security Suite includes a team management feature that supports up to five users per account. The account administrator can invite up to four additional team members and manage their access at any time. While all team members have full access to vulnerability data and program-related information, only the administrator can manage team membership, handle payments, and purchase AI credits.
  23. Vendors agree not to grant access to unrelated third parties through the additional seats provided within the Patchstack Security Suite. All assigned seats must be used exclusively by individuals who are directly involved with the Vendor's organization and relevant to the program’s operations.